Your message dated Mon, 15 Aug 2011 12:02:18 +0000 with message-id <E1Qsvs2-0006UR-8k@franck.debian.org> and subject line Bug#636314: fixed in apt 0.8.15.6 has caused the Debian Bug report #636314, regarding apt: Packages.bz2 checksum mismatch not detected to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 636314: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=636314 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: Packages.bz2 checksum mismatch not detected
- From: Hamish Moffatt <hamish@debian.org>
- Date: Tue, 02 Aug 2011 04:14:18 -0400
- Message-id: <[🔎] 20110802081418.28159.9767.reportbug@li154-67.members.linode.com>
Package: apt Version: 0.8.10.3+squeeze1 Severity: important I have a test repository containing a Packages.bz2 file with different checksums than what is listed in the signed Release file. However, 'apt-get update' does not report any error and shows the resulting packages in the output of 'apt-cache policy'. This occurs when accessing the repository with http. I think I have seen errors reported when using file:/ urls (and uncompressed Packages) files but I am not certain now. I've attached a test repository; it's not signed, but I've tried with signed repositories too. eg rsync dists/squeeze from a Debian mirror then mess with main/binary-i386/Packages.bz2 -- Package-specific info: -- apt-config dump -- APT ""; APT::Architecture "i386"; APT::Build-Essential ""; APT::Build-Essential:: "build-essential"; APT::Install-Recommends "1"; APT::Install-Suggests "0"; APT::Acquire ""; APT::Acquire::Translation "environment"; APT::NeverAutoRemove ""; APT::NeverAutoRemove:: "^firmware-linux.*"; APT::NeverAutoRemove:: "^linux-firmware$"; APT::NeverAutoRemove:: "^linux-image.*"; APT::NeverAutoRemove:: "^kfreebsd-image.*"; APT::NeverAutoRemove:: "^linux-restricted-modules.*"; APT::NeverAutoRemove:: "^linux-ubuntu-modules-.*"; APT::Never-MarkAuto-Sections ""; APT::Never-MarkAuto-Sections:: "metapackages"; APT::Never-MarkAuto-Sections:: "restricted/metapackages"; APT::Never-MarkAuto-Sections:: "universe/metapackages"; APT::Never-MarkAuto-Sections:: "multiverse/metapackages"; APT::Never-MarkAuto-Sections:: "oldlibs"; APT::Never-MarkAuto-Sections:: "restricted/oldlibs"; APT::Never-MarkAuto-Sections:: "universe/oldlibs"; APT::Never-MarkAuto-Sections:: "multiverse/oldlibs"; Dir "/"; Dir::State "var/lib/apt/"; Dir::State::lists "lists/"; Dir::State::cdroms "cdroms.list"; Dir::State::mirrors "mirrors/"; Dir::State::extended_states "extended_states"; Dir::State::status "/var/lib/dpkg/status"; Dir::Cache "var/cache/apt/"; Dir::Cache::archives "archives/"; Dir::Cache::srcpkgcache "srcpkgcache.bin"; Dir::Cache::pkgcache "pkgcache.bin"; Dir::Etc "etc/apt/"; Dir::Etc::sourcelist "sources.list"; Dir::Etc::sourceparts "sources.list.d"; Dir::Etc::vendorlist "vendors.list"; Dir::Etc::vendorparts "vendors.list.d"; Dir::Etc::main "apt.conf"; Dir::Etc::netrc "auth.conf"; Dir::Etc::parts "apt.conf.d"; Dir::Etc::preferences "preferences"; Dir::Etc::preferencesparts "preferences.d"; Dir::Etc::trusted "trusted.gpg"; Dir::Etc::trustedparts "trusted.gpg.d"; Dir::Bin ""; Dir::Bin::methods "/usr/lib/apt/methods"; Dir::Bin::dpkg "/usr/bin/dpkg"; Dir::Media ""; Dir::Media::MountPath "/media/apt"; Dir::Log "var/log/apt"; Dir::Log::Terminal "term.log"; Dir::Log::History "history.log"; Dir::Ignore-Files-Silently ""; Dir::Ignore-Files-Silently:: "~$"; Dir::Ignore-Files-Silently:: "\.disabled$"; Dir::Ignore-Files-Silently:: "\.bak$"; Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$"; DPkg ""; DPkg::Pre-Install-Pkgs ""; DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true"; CommandLine ""; CommandLine::AsString "apt-config dump"; -- (no /etc/apt/preferences present) -- -- /etc/apt/sources.list -- #deb http://ftp.us.debian.org/debian/ etch main non-free contrib #deb http://http.us.debian.org/debian/ etch main non-free contrib #deb-src http://ftp.us.debian.org/debian/ etch main non-free contrib # #deb http://security.debian.org/ etch/updates main contrib non-free #deb http://volatile.debian.org/debian-volatile etch/volatile main deb http://ftp.us.debian.org/debian/ squeeze main non-free contrib deb-src http://ftp.us.debian.org/debian/ squeeze main non-free contrib deb http://ftp.us.debian.org/debian/ squeeze-updates main non-free contrib deb-src http://ftp.us.debian.org/debian/ squeeze-updates main non-free contrib deb http://security.debian.org/ squeeze/updates main contrib non-free #deb http://volatile.debian.org/debian-volatile squeeze/volatile main #deb http://www.backports.org/debian squeeze-backports main contrib non-free -- System Information: Debian Release: 6.0.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.39.1-linode34 (SMP w/4 CPU cores) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages apt depends on: ii debian-archive-keyring 2010.08.28 GnuPG archive keys of the Debian a ii gnupg 1.4.10-4 GNU privacy guard - a free PGP rep ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib ii libgcc1 1:4.4.5-8 GCC support library ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3 ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime apt recommends no packages. Versions of packages apt suggests: pn apt-doc <none> (no description available) ii aptitude 0.6.3-3.2 terminal-based package manager (te ii bzip2 1.0.5-6 high-quality block-sorting file co ii dpkg-dev 1.15.8.11 Debian package development tools ii lzma 4.43-14 Compression method of 7z format in ii python-apt 0.7.100.1+squeeze1 Python interface to libapt-pkg -- no debconf informationAttachment: test-bz2-hash-error.tar
Description: Unix tar archive
--- End Message ---
--- Begin Message ---
- To: 636314-close@bugs.debian.org
- Subject: Bug#636314: fixed in apt 0.8.15.6
- From: Michael Vogt <mvo@debian.org>
- Date: Mon, 15 Aug 2011 12:02:18 +0000
- Message-id: <E1Qsvs2-0006UR-8k@franck.debian.org>
Source: apt Source-Version: 0.8.15.6 We believe that the bug you reported is fixed in the latest version of apt, which is due to be installed in the Debian FTP archive: apt-doc_0.8.15.6_all.deb to main/a/apt/apt-doc_0.8.15.6_all.deb apt-transport-https_0.8.15.6_amd64.deb to main/a/apt/apt-transport-https_0.8.15.6_amd64.deb apt-utils_0.8.15.6_amd64.deb to main/a/apt/apt-utils_0.8.15.6_amd64.deb apt_0.8.15.6.dsc to main/a/apt/apt_0.8.15.6.dsc apt_0.8.15.6.tar.gz to main/a/apt/apt_0.8.15.6.tar.gz apt_0.8.15.6_amd64.deb to main/a/apt/apt_0.8.15.6_amd64.deb libapt-pkg-dev_0.8.15.6_amd64.deb to main/a/apt/libapt-pkg-dev_0.8.15.6_amd64.deb libapt-pkg-doc_0.8.15.6_all.deb to main/a/apt/libapt-pkg-doc_0.8.15.6_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 636314@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Vogt <mvo@debian.org> (supplier of updated apt package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Mon, 15 Aug 2011 09:20:35 +0200 Source: apt Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https Architecture: source all amd64 Version: 0.8.15.6 Distribution: unstable Urgency: low Maintainer: APT Development Team <deity@lists.debian.org> Changed-By: Michael Vogt <mvo@debian.org> Description: apt - Advanced front-end for dpkg apt-doc - Documentation for APT apt-transport-https - APT https transport apt-utils - APT utility programs libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst libapt-pkg-doc - Documentation for APT development Closes: 636314 Changes: apt (0.8.15.6) unstable; urgency=low . [ Michael Vogt ] * apt-pkg/contrib/fileutl.{cc,h}: - add GetModificationTime() helper * apt-pkg/pkgcachegen.cc: - regenerate the cache if the sources.list changes to ensure that changes in the ordering there will be honored by apt * apt-pkg/sourcelist.{cc,h}: - add pkgSourceList::GetLastModifiedTime() helper * apt-pkg/pkgcachegen.{cc,h}: - use ref-to-ptr semantic in NewDepends() to ensure that the libapt does not segfault if the cache is remapped in between (LP: #812862) - fix crash when P.Arch() was used but the cache got remapped * test/integration/test-hashsum-verification: - add regression test for hashsum verification * apt-pkg/acquire-item.cc: - if no Release.gpg file is found, still load the hashes for verification (closes: #636314) and add test . [ David Kalnischkies ] * lots of cppcheck fixes Checksums-Sha1: 2be9992b140d381ace377f779f5741af760946cb 1358 apt_0.8.15.6.dsc 4bcdfc7d745f7a4d50cf73a9afed2bbbc5ee6bb4 3378253 apt_0.8.15.6.tar.gz 95704778a835b2664e3cb295a42ff3d3c3f2b0b9 241060 apt-doc_0.8.15.6_all.deb fc568361a6b22ead560943133873c0dee70da31c 738648 libapt-pkg-doc_0.8.15.6_all.deb 0d097b9146c34a9c3e14d46e697fe61e080bb711 2186030 apt_0.8.15.6_amd64.deb 516820d3ea67b0f15dc549042a974ba3617cdd82 161102 libapt-pkg-dev_0.8.15.6_amd64.deb c6193d68dd10a944706fded7737411f51b50b58c 289080 apt-utils_0.8.15.6_amd64.deb fdfdfa488c7e517fbbb812519ad198f8b80e4c64 90970 apt-transport-https_0.8.15.6_amd64.deb Checksums-Sha256: 64110690ca39d3e8964689c0a97176a93edd9fadfc101e209d04e95b9576a041 1358 apt_0.8.15.6.dsc bdc36fdfb7727a120d1ae14b02f8d6b68f9ca4e619c719d6ec17165d5d6b4b0a 3378253 apt_0.8.15.6.tar.gz e5c7e6a2b5e12814f9441262521e57ca63ebf7004ac7db527ffb19f1762a0f40 241060 apt-doc_0.8.15.6_all.deb f0f65644d91bdcbe5df35485b469ee9d28d7f03d3057c52c0b771fe8b9f9d573 738648 libapt-pkg-doc_0.8.15.6_all.deb 86902233c0365279961967b3add3aaf18ec0ba84685b0cbe22eeeaf69bea9c88 2186030 apt_0.8.15.6_amd64.deb d15e0b38c727343cbd2b4a9c13e7068c4475763b8d07f2e077efa5b9de16aa7c 161102 libapt-pkg-dev_0.8.15.6_amd64.deb 297d655c291f82939ff4c1b923b08dfe10aee332c4a37215fdcd779d1acf12f1 289080 apt-utils_0.8.15.6_amd64.deb 2246090e7e70fd21dd536b48bb4c7eb7ccf8e28537677968b0590afc38f6d5d8 90970 apt-transport-https_0.8.15.6_amd64.deb Files: 215112488e5db00a204aac0e1fd134c4 1358 admin important apt_0.8.15.6.dsc ed88f451fc5023b4983fe0a326af493f 3378253 admin important apt_0.8.15.6.tar.gz 569942ab6c900147fb3c0d875b30310c 241060 doc optional apt-doc_0.8.15.6_all.deb 40e663c4465142231dd7cf3776f1e246 738648 doc optional libapt-pkg-doc_0.8.15.6_all.deb c9e48a11c83bd34ecab112d8c74f4559 2186030 admin important apt_0.8.15.6_amd64.deb 9f01d2f08f17b0781a11c2a5dc456b2e 161102 libdevel optional libapt-pkg-dev_0.8.15.6_amd64.deb 7cd6d2a3daad7f92fd11c65dbb5fc10b 289080 admin important apt-utils_0.8.15.6_amd64.deb da11d07f0c963b784beaa549257c7405 90970 admin optional apt-transport-https_0.8.15.6_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk5I2JMACgkQliSD4VZixzRAwQCgmF818taxJco9V4nAgHokdnOa l3gAniieAWNfgD42LlCkNPMa4edpHtMm =Rmf5 -----END PGP SIGNATURE-----
--- End Message ---